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An Exploration of the Legal and Regulatory 
Environment of Privacy and Security through 
Active Research, Guided Study, Blog Creation, 

and Discussion 

Alan R. Peslak 
arpl4@psu.edu 
Penn State University 
Dunmore, Pennsylvania 18512 USA 


Abstract 

One of the most important topics for today's information technology professional is the study 
of legal and regulatory issues as they relate to privacy and security of personal and business 
data and identification. This manuscript describes the topics and approach taken by the in¬ 
structors that focuses on independent research of source documents and cases. Posting and 
review of this research with a blog served as a successful springboard for discussion and anal¬ 
ysis of relevant privacy and security issues. The course was piloted in the spring of 2008 and 
received strong positive feedback. The course was successfully run again in 2009. Review of 
the process and implications for educators is presented. 

Keywords: Privacy, Security, Legal and Regulatory Environment of IT, Ethics 


1. BACKGROUND 

An area of rising importance for information 
technology professions is the growth of laws 
and regulations dealing with information and 
the use of information in society. This in¬ 
creased importance is mostly seen in rules 
and regulations regarding the privacy and 
security of data. But with this increased im¬ 
portance there has come little guidance on 
how to impart this knowledge to our infor¬ 
mation technology students. 

One of the key templates for developing in¬ 
formation systems and technology programs 
has been IS2002. IS 2002 Model Curriculum 
and Guidelines for Undergraduate Degree 
Programs in Information Systems is spon¬ 
sored by the Association for Computing Ma¬ 
chinery (ACM), Association for Information 
Systems (AIS), Association of Information 
Technology Professionals (AITP)and au¬ 
thored by John T. Gorgone, Gordon B. Davis, 
Joseph S. Valacich, Heikki Topi, David L. 
Feinstein, and Herbert E. Longenecker, Jr. 

The legal, regulatory, privacy, and security 
related issues are suggested to be covered 


in the following courses general courses 
(they are a very small portion of each 
course): 

IS 2002.1 - Fundamentals of Information 
Systems (Prerequisite: IS 2002.P0) 

information security, 

IS 2002.2 - Electronic Business Strategy, 
Architecture and Design (Prerequisite: IS 
2002 . 1 ) 

legal and ethical issues, information pri¬ 
vacy and security, transborder data 
flows, information accuracy and error 
handling, disaster planning and recovery, 

IS 2002.6 - Networks and Telecommunica¬ 
tion (Prerequisite: IS 2002.4) 

privacy, security, 

IS 2002.PO - Personal Productivity with IS 
Technology 

security, 

IS 2002.3 - Information Systems Theory 
and Practice (Prerequisite: IS 2002.1) 


© 2010 EDSIG 


http://isedj.org/8/52/ 


July 16, 2010 



ISEDJ 8 (52) 


Peslak 


4 


to introduce the societal implications of 
IS and related ethical issues 

to introduce and explore ethical concepts 
and issues relating to personal and pro¬ 
fessional behavior 

to introduce, compare, and contrast ethi¬ 
cal models and approaches 

to explore ethical and social analysis 
skills 

to consider the nature and existence of 
power 

ethical and legal principles and issues; 

ethical considerations of information sys¬ 
tems development, planning, implemen¬ 
tation, 

IS 2002.6 - Networks and Telecommunica¬ 
tion (Prerequisite: IS 2002.4) 

security, privacy, 

IS 2002.2 - Electronic Business Strategy, 
Architecture and Design (Prerequisite: IS 
2002 . 1 ) 

security 

Thus, the IS 2002 Model Curriculum included 
little emphasis on legal and regulatory as¬ 
pects of IT. Contrasting this with the draft 
Computing Curricula 2005 shows how dra¬ 
matically the need for legal and regulatory 
study has increased. The Computing Curricu¬ 
la 2005 includes five general computing cur¬ 
ricula information technology, information 
systems, software engineering, computer 
engineering, and computer science. In all 
these five areas and with 17 computing top¬ 
ics as a part of these programs, le¬ 
gal/professional/ethics/society is recognized 
as one of the highest importance topics 
across all five areas, as high as program¬ 
ming fundamentals in a software engineer¬ 
ing program and as high as computer archi¬ 
tecture and organization in a computer engi¬ 
neering program. This topic is defined as: 
Legal / Professional / Ethics / Society - The 
areas of practice and study within the com¬ 
puting disciplines that help computing pro¬ 
fessionals make ethically informed decisions 
that are within the boundaries of relevant 
legal systems and professional codes of con¬ 
duct. 

To remedy this shortcoming a comprehen¬ 
sive three-credit course was developed at 


our university, 1ST 452 - Legal and Regula¬ 
tory Environment of Privacy and Security (3) 
The short course description is, 1ST 452 
Legal and Regulatory Environment of Privacy 
and Security (3) Exploration of legal, regula¬ 
tory, public policy, and ethical issues related 
to security and privacy for information tech¬ 
nology professionals in public institutions, 
private enterprise, and IT services. (Penn 
State University, 2008) 

The course is further described in Appendix 
A. 

The text used for the course the first time it 
was taught was e-Commerce Law: Issues for 
Business, 1st Edition , John W. Bagby - 
Pennsylvania State University, ISBN-10: 
0324106793 ISBN-13: 9780324106794, 
600 Pages. The text was used as a general 
guide for the course and also the source for 
some of the case analyses and discussion. 
Unfortunately this text is now out of print. 
We are searching for a new text. 

The course was taught at our campus by a 
single instructor over two terms. The aver¬ 
age size of the c;lass was 20 and all work 
was individual with major in-class discussion 
among all participants. 

2. BLOG 

One of the major elements of the course was 
the creation of a course blog. The syllabus 
included the following; 

"The course will involve creation of a Blog 
that will serve as a comprehensive docu¬ 
mentation of our semester long exploration. 
Participation will be frequent and required. 
Grading will be based on the general grading 
rubric. There will be six blogs in the course 3 
each in the categories of course and case. 
Course or topic blog will be general defini¬ 
tions or specific research. Case will be 
thoughts and facts on specific IT law related 
cases." Thus, in addition to exploration of 
privacy and security topics, a second major 
blog was created to explore the review and 
opinions on case law relevant to privacy, 
security, and other IT law related topics. 
Many of these cases were found in the Bag¬ 
by text but others were based on indepen¬ 
dent student research. Permission was re¬ 
ceived by students to include their materials 
in the article as examples. 
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3. LITERATURE REVIEW 

There has been little pedagogical research 
on the content of the legal and regulatory 
environment of privacy and security. As well, 
there is little peer-reviewed pedagogical re¬ 
search done on privacy and security post¬ 
secondary education and most is focused 
solely on security issues. Hsu and Backhouse 
(2002) developed and proposed situated 
learning strategy to combine theory and 
practice in security education. 

Kim, Hsu, and Stern (2006) performed a 
study of topics in the IS2002 curriculum with 
real world IT professionals and found that 
overall the individual most critical IS/IT is¬ 
sue was security and disaster recovery. 
Crowley (2003) suggests a comprehensive 
IT computer security curriculum that in¬ 
cludes key knowledge and skills in "The cur¬ 
rent Information Systems Security regulato¬ 
ry and legal environment. Contemporary 
issues in computer security regulations and 
laws, including: Contract law Intellectual and 
other property law Criminal law Constitu¬ 
tional law Liability law Regulatory law. Prin¬ 
cipal ethical issues with relationship to legal 
standards. Distinguish the legal issues in an 
information architecture that can be ana¬ 
lyzed by a computer security professional 
from those that require an attorney." 

Kim and Surendran (2001) prepared a curri¬ 
culum for information security manager that 
includes security requirements as well as 
security policy. Kroger and Sena (2002) pre¬ 
pared a comprehensive MBA course in "eth¬ 
ics, security, and privacy". The MBA course 
in ethics, security, and privacy suggested by 
Kroger and Sena (2002) starts with the Con¬ 
stitution and works through HIPAA as "the 
most significant example of an implementa¬ 
tion of ethics, security, and privacy togeth¬ 
er." Other articles compare academic and 
government security standards (Carlin, Curl, 
and Manson, 2003), implementation of com¬ 
puter forensics in the classroom (2005), se¬ 
curity issues associated with videocams 
(Beise, 2005), the inclusion of international 
components in security (2006), phishing 
(Frank and Werner, 2007), and mobile com¬ 
puting security in curriculum (Molluzzo and 
Lawler, 2007). 

Overall, our course was designed to be an 
active, participatory course which explored 
all areas of IT privacy and security laws and 


regulations. The course relied on active re¬ 
search and class participation. The syllabus 
noted: 

"This course will be unlike all other courses 
in 1ST. It will require significant critical 
thinking, problem solving, and written and 
oral communications. The course will involve 
creation of blogs that will serve as a com¬ 
prehensive documentation of our semester 
long exploration. There will be significant 
required discussion to fully develop our criti¬ 
cal thinking and communication skills." 

This manuscript will define the major privacy 
and security areas covered in the course as 
well as inclusion of some of the annotated 
blog entries to both show the type of inte¬ 
raction which was generated as well as to 
serve as a general overview of the topic. 

4. PRIVACY DEFINITION 

The course began with an exploration and 
discussion of the term privacy in the infor¬ 
mation technology area. After a preliminary 
discussion of privacy and the Warren and 
Brandeis(1892) definition of privacy as the 
right to be left alone, as well as other com¬ 
mon definitions, we started our first active 
research assignment. Our very first assign¬ 
ment was to search for a definition of priva¬ 
cy. Responses ranged from dictionary defini¬ 
tions to journals and vendor sites but overall 
the exploration and review of the blog pro¬ 
vided a consensus on a starting point for our 
course. Example student response excerpts 
(in italics) will be shown for many of our ma¬ 
jor topics. Much more detail of these student 
responses is presented in Appendix B by 
topic. A responses for the privacy definition 
included: 

"People often think of privacy as some kind 
of right. Unfortunately, the concept of a 
'right' is a problematical way to start, be¬ 
cause a right seems to be some kind of ab¬ 
solute standard. What's worse, it's very easy 
to get confused between legal rights, on the 
one hand, and natural or moral rights, on 
the other. It turns out to be much more use¬ 
ful to think about privacy as one kind of 
thing (among many kinds of things) that 
people like to have lots of. Privacy is the in¬ 
terest that individuals have in sustaining a 
'personal space', free from interference by 
other people and organisations. 4 demens- 
tions of privacy: privacy of the person priva- 
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cy of personal behaviour privacy of personal 
communications privacy of personal data" - 
Roger Clarke 

http://www.anu.edu.au/people/Roger.Clarke 
/D V/In tro. h tmi#Pri v 

5. PRIVACY AND MEDIA BASED ON 
WARREN AND BRANDEIS (1892) 
CONCEPTS 

A specific assignment was to review Warrren 
and Brandeis privacy concepts in light of the 
current media environment. Each concept 
from the Warren and Brandeis was pre¬ 
sented first and then discussed in light of 
present day media coverage. 

1. The right to privacy does not prohibit any 
publication of matter which is of public or 
general interest. "Chris Brown hit a female in 
a club. Typically the newspapers protect the 
identity as they would any victim of domes¬ 
tic violence. The LA Times decided to run her 
name as the victim of the crime." 
http://www. feministing. com/archives/01363 
4.html 2. The right to privacy does not pro¬ 
hibit the communication of any matter, 
though in its nature private, when the publi¬ 
cation is made under circumstances which 
would render it a privileged communication 
according to the law of slander and libel. 
"Defense Secretary Robert Gates ordered a 
review of a Pentagon policy banning media 
from taking pictures of flag-draped coffins of 
military dead, signaling he was open to 
overturning the policy to better honor fallen 
soldiers." 

http ://www. google, com/hostednews/ap/artic 
le/ALeqM5iAudWAbfbRQ8W4w9LB2B9Bti_z 
QD968UAPG0 4. The right to privacy ceases 
upon the publication of the facts by the indi¬ 
vidual, or with his consent. Any person who 
publishes an autobiography. 

After establishing the concept of privacy, we 
next explored the different types of laws. 
After a brief lecture, students were asked to 
find specific definitions and explanations of 
each type of law. Several students were as¬ 
signed to each type of law and one answer is 
included below in italics. 

6. TYPES OF LAW 

Based on the Bagby text, the five general 
areas of law were explored: Criminal, Com¬ 
mon, Procedural, Substantive, and Civil. 


Substantive law defines how the facts in the 
case will be handled, as well as how the 
crime is to be charged. In essence, it deals 
with the "substance" of the matter. Substan¬ 
tive law refers to the body of rules that de¬ 
termine the rights and obligations of individ¬ 
uals and collective bodies. Source: 
http://criminal-law.freeadvice.com/criminal- 
law/proceduraLsubstantive.htm and 

http://legal-dictionary.thefreedictionary 
. com/substan ti ve+iaw 

7. CONSTITUTION AND BILL OF 
RIGHTS 

The cornerstone of privacy and security in 
the US is the Constitution and the first ten 
amendments known as the Bill of Rights. 
Many constitutional clauses and amend¬ 
ments were discussed including free speech, 
the commerce and contract clauses, and 
other articles. Some of the postings in this 
area are below. 

IN 1971, PRESIDENT RICHARD M. NIXON'S 
ADMINISTRATION unsuccessfully tried to 
stop The New York Times from publishing a 
classified history of the Vietnam War known 
as the Pentagon Papers. In the process, the 
Supreme Court established that the First 
Amendment prohibits government censor¬ 
ship of the press in almost every situation. 
The First Amendment also protects press 
freedoms by making it exceptionally difficult 
for government officials and other public 
figures to win libel suits. (Libel is the publi¬ 
cation of knowingly false statements that 
injure a person's reputation, the written 
form of slander.) If it were easy to sue for 
libel, the Supreme Court has reasoned, pub¬ 
lic figures could use lawsuits to keep the 
press from aggressively reporting the news, 
h ttp ://findarticles. com/p/articles/mi_ mOBUE 
/is_3_ 139/ai_nl 7214796/pg_2?tag =artBody 
;coll Nixon tried to interfere with a NY times 
publication and was overruled by the su¬ 
preme court. This was largely attributed to 
the rights the NY times has under the 1st 
amendment against government censorship. 

The Commerce Clause of the Constitution 
gives the government - the power to regu¬ 
late; that is, to prescribe the rule by which 
commerce is to be governed. 

The Contract Clause of the Constitution - 
protects agreements whereby two parties 
bind themselves to certain obligations. 
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The First Amendment of the Constitution 
prohibits the United States from making 
laws infringing on free speech, religion, the 
press or restricting the right of a peaceful 
assembly or petition. One of the first cases 
we explored was Netscape vs. Specht which 
was illustrated in the Bagby text but also 
available in Wikipedia.org and along many 
other cases which can be found in 
http://itlaw.wikia.com 

1. Key issues: - Are software license agree¬ 
ments binding or nonbinding? - User was not 
adequately notified of the agreement. 2. De¬ 
cision For the agreement to be binding there 
must be mutual consent on behalf of both 
parties. 3. Alternatives First and foremost, 
Netscape could have charged for their ser¬ 
vice and, in charging, display to the user a 
more readily available end-user agreement 
which would not be as elusive as the pre¬ 
vious agreement was. 

Other cases included Reno v. Condon, Hiibel 
v. Sixth Judicial District Court of Nevada, 
and Hepting et al. v. AT & T Corp 

8. COPYRIGHT, TRADEMARKS, 
PATENTS, TRADE SECRETS 

The importance of understanding patents, 
copyrights, and trade secrets is reinforced 
by a current article in CIO magazine (Rad- 
cliffe and Rosen, 2003). 

Copyright - form of protection provided by 
United States laws to original authors of 
original works of authorship (literary, dra¬ 
matic, musical, artistic, and other intellectual 
works). 

According to the government, trademarks 
include any word, name, symbol, or device, 
or any combination, used, or intended to be 
used in commerce to identify and distinguish 
the goods of one manufacturer or seller from 
goods manufactured or sold by others, and 
to indicate the source of the goods. Several 
students discussed specific trademark cases. 

In addition, trade secrets and patents were 
discussed. According to the government, a 
patent for an invention is the grant of a 
property right to the inventor, issued by the 
United States Patent and Trademark Office. 
Generally, the term of a new patent is 20 
years from the date on which the application 
for the patent was filed in the United States 
or, in special cases, from the date an earlier 


related application was filed, subject to the 
payment of maintenance fees. Trade secrets 
are not registered with the patent office and 
are internal secrets kept by a company. 
They have no specific protection but also no 
specific expiration. 

9. THE DIGITAL MILLENNIUM 

COPYRIGHT ACT - DMCA 

The Digital Millennium Copyright Act (DMCA) 
is a United States copyright law which im¬ 
plements two 1996 WIPO treaties. It crimi¬ 
nalizes production and dissemination of 
technology, devices, or services that are 
used to circumvent measures that control 
access to copyrighted works (commonly 
known as DRM) and criminalizes the act of 
circumventing an access control, even when 
there is no infringement of copyright itself. It 
also heightens the penalties for copyright 
infringement on the Internet. (Wikipedia, 
2008, DMCA) Several cases that explore the 
reach of DMCA were posted. 

The RIAA subpoenaed Verizon demanding 
that Verizon reveal people who use or have 
used KazAa for music and file sharing. Veri¬ 
zon refused saying that the provision didn't 
cover possible copyright-infringing material 
that resides on individuals' own computers, 
only material that resides on an ISP's own 
computer. The courts agreed with Verizon 
and they were not required to give any in¬ 
formation regarding people who used Peer to 
Peer filesharing software. Sources: 
http://www. eff. org/related/376/case 

10.HEALTH INSURANCE 
PORTABILITY AND 
ACCOUNTABILITY ACT - HIPAA 

Breaux and Anton (2008) provide a frame¬ 
work for "analyzing regulatory rules for pri¬ 
vacy and security" and use HIPAA (US 
Health Insurance Portability and Accountabil¬ 
ity Act) as an example, breaking down the 
act into specific components and require¬ 
ments. They note that HIPAA is one of the 
most important laws regarding privacy as 
the" 10-year cost to comply with HIPAA for 
the healthcare industry is projected by in¬ 
dustry and government stakeholders to be 
between $12-42 billion". There are two gen¬ 
eral rules associated with HIPAA - privacy 
and security. Privacy Rule - established min¬ 
imum federal standards for protecting the 
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privacy of individually identifiable health in¬ 
formation. Security Rule - measures a 
healthcare entity must take to protect per¬ 
sonal health information from unauthorized 
breaches of privacy. Example postings in¬ 
clude: 

In July of 2008, a Seattle health provider 
was fined $100,000 and forced to create a 
corrective action plan after losing backup 
media and laptops containing records from 
2005 and 2006. The items lost include back¬ 
up tapes, optical discs, and unencrypted lap¬ 
tops. The information contained on the de¬ 
vices is personally identifiable and could 
have affected more than 360,000 patients. 
/Is a corrective action, the health provider 
must train employees how to safeguard in¬ 
formation and the facilities. According to the 
article, it appears that the government was 
stepping up enforcement as the agency 
could resolve problems last year rather than 
punish mistakes. 

httD://itknowledaeexchange. techtarget. com/ 

securitv-bvtes/hioaa-violations-cost-seattle- 

health-care-orovider/ 

11. PATRIOT ACT 

Regarding the PATRIOT Act, "Mark Corallo, a 
Justice Department spokesman, ...said the 
act has been "one of the most important 
tools Congress has given the government to 
fight terrorism and prevent terrorist acts." 
It is also one of the most important laws 
affecting privacy and security in the United 
States.(Garcia, 2004) 

A detailed review of the PATRIOT act was 
included in our course. The major provisions 
or "titles" are as follows: Titles I and X: Mis¬ 
cellaneous Provisions, Title II: Surveillance 
Procedures, Title III: Anti-money-laundering 
to Prevent Terrorism, Title IV: Border Secu¬ 
rity, Title V: Terrorism Investigation, Title 
VI: Victims and Families of Victims of Terror¬ 
ism, Title VII: Information Sharing for Infra¬ 
structure Protection,, Title VIII: Terrorism 
Criminal Law, Title IX: Improved Intelli¬ 
gence. Our assignment was to look at cur¬ 
rent developments in PATRIOT act interpre¬ 
tation. 

A ruling in 2007 in U.S. District Court says 
that agencies such as the FBI can no longer 
request that Internet and telephone compa¬ 
nies turn over the records of the customers 
without telling them and without eventually 


obtaining a court order. In short, this means 
that the agencies must show purpose for 
their seizure of records, whereas before their 
national security letters had protected them 
from basically almost any accountability. 
This ruling is important because it takes 
away the capabilities of the government to 
seize data without probable cause, thus fur¬ 
ther upholding the principles of the constitu¬ 
tion. 

http: //articles. Iatimes.com/2007/seo/07/nati 

on/na-patriot7 

12. SURVEILLANCE/ANTI¬ 
TERRORISM IN OTHER NATIONS 

Surveillance and Anti-terrorism laws and 
regulations in many other nations were ex¬ 
plored. An example was New Zealand. 

The interception of telecommunication is 
governed by many laws in New Zealand in¬ 
cluding the Telecommunications Act, Gov¬ 
ernment Communications Security Bureau 
Act, international Terrorism Act, Misuse of 
Drugs Amendment Act, New Zealand Securi¬ 
ty Intelligence Service Act, and Crimes Act. 

13. INTERNET SAFETY ACT 

A new proposed act, the Internet Safety Act 
was explored in 2009. 

The Internet Safety Act is aimed at every¬ 
one. Its purpose is to have data just in-case 
someone breaks a law. The law would reach 
everyone from the giant corporate ISPs right 
down to a single private citizen who has a 
password protected access point. Unlike 
phone carriers, they would have be required 
to store usage data for an extended amount 
of time. 

http://www.networkworld.eom/news/2009/0 
22109-proposed-law-might-make-wi- 
fi.html?page=2 

14. FTC, PRIVACY POLICIES AND 
FAIR INFORMATION PRACTICE 
GUIDELINES 

Fair Information Practices as promulgated by 
the FTC play an important role in online pri¬ 
vacy. 

"Over the past quarter century, government 
agencies in the United States, Canada, and 
Europe have studied the manner in which 
entities collect and use personal information 
-- their "information practices" — and the 
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safeguards required to assure those practic¬ 
es are fair and provide adequate privacy 
protection. The result has been a series of 
reports, guidelines, and model codes that 
represent widely-accepted principles con¬ 
cerning fair information practices. Common 
to all of these documents [hereinafter re¬ 
ferred to as "fair information practice 
codes"] are five core principles of privacy 
protection: (1) Notice/Awareness; (2) 

Choice/Consent; (3) Access/Participation; 
(4) Integrity/Security; and (5) Enforce¬ 
ment/Redress." (FTC, 2000) Students re¬ 
viewed the policies and were asked to write 
sample company privacy policies. 

15. UNITED STATES VS. EUROPEAN 

FAIR INFORMATION AND 
PRACTICES 

The differences between the United States 
Fair Information Practices and those of the 
European Union were extensively discussed. 
Country implementations of the directive 
were explored. 

With the European Union Directive 95/46 
setting guidelines for maintaining privacy for 
user data, Germany passed its own law in 
2002 called the Data Protection Act. This act 
defines what constitutes data collection and 
processing, consent of the user whose data 
is being collected, acceptable transfer of the 
collected data, and the responsibilities of the 
individual, group, business, etc. that is col¬ 
lecting the data regarding maintaining ade¬ 
quate security. It also outlines the creation 
and maintenance of a security official who is 
held responsible for maintaining the data 
collected. This act is much more thorough 
than the EU Directive. 

http://www.bdd.de/Download/bdsg_eng.pdf 

16. SAFE HARBOR ACT FRAMEWORK 

The following areas were explored in the 
Safe Flarbor Act seven privacy principles, 15 
frequently asked questions and answers 
(FAQs), the European Commission's adequa¬ 
cy decision, the exchange of letters between 
the Department and the European Commis¬ 
sion, and letters from the Department of 
Transportation and FTC on their enforcement 
powers. 

The European Commission's Directive on 
Data Protection went into effect in October, 
1998, and would prohibit the transfer of per¬ 


sonal data to non-European Union nations 
that do not meet the European "adequacy" 
standard for privacy protection. While the 
United States and the European Union share 
the goal of enhancing privacy protection for 
their citizens, the United States takes a dif¬ 
ferent approach to privacy from that taken 
by the European Union. The United States 
uses a sectoral approach that relies on a mix 
of legislation, regulation, and self regulation. 
The European Union, however, relies on 
comprehensive legislation that, for example, 
requires creation of government data protec¬ 
tion agencies, registration of data bases with 
those agencies, and in some instances prior 
approval before personal data processing 
may begin. As a result of these different pri¬ 
vacy approaches, the Directive could have 
significantly hampered the ability of U.S. 
companies to engage in many trans-Atlantic 
transactions. In order to bridge these differ¬ 
ent privacy approaches and provide a 
streamlined means for U.S. organizations to 
comply with the Directive, the U.S. Depart¬ 
ment of Commerce in consultation with the 
European Commission developed a "safe 
harbor" framework. The safe harbor -- ap¬ 
proved by the EU in 2000— is an important 
way for U.S. companies to avoid experienc¬ 
ing interruptions in their business dealings 
with the EU or facing prosecution by Euro¬ 
pean authorities under European privacy 
laws. Certifying to the safe harbor will as¬ 
sure that EU organizations know that your 
company provides "adequate" privacy pro¬ 
tection, as defined by the Directive. (De¬ 
partment of Commerce, n.d.) 

17. SARBANES OXLEY ACT 

The Sarbanes Oxley Act which established 
new or enhanced standards for all U.S. pub¬ 
lic company boards, management, and pub¬ 
lic accounting firms in the aftermath of 
Enron and WorldCom scandals was also in¬ 
cluded in our course. 

Why didn't Sarbanes-Oxley prevent the sub¬ 
prime mortgage crisis? That is the unspoken 
question asked in a piece titled "Criminaliz¬ 
ing Capitalism" written by a Manhattan Insti¬ 
tute scholar, Nicole Gelinas. She reminds us 
that the legislation passed in the wake of the 
Enron scandal was meant to reform corpo¬ 
rate governance and head off punishing 
meltdowns of investor wealth. It hasn't. In¬ 
stead, what Sarbox did was to open the door 
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to excessive and sometimes careless crimi¬ 
nal prosecution of corporate wrongdoing. 
The savaging of AIG and of the now-defunct 
Arthur Anderson are cases in point. Accord¬ 
ing to Ms. Gelinas, the 20-year prison sen¬ 
tences available to prosecutors has created 
an environment of fear in the executive 
suite, which in turn has led to a wanton dis¬ 
regard for the rights of corporate defendants 
and, on occasion, flagrantly unfair treatment 
of companies and individuals. 
http://www.nysun.com/business/why- 
sarbanes-oxley-didnt-prevent-the-latest- 
crisis/71321/ 

18. UNIFORM COMPUTER 
INFORMATION TRANSACTIONS ACT 
- UCITA 

Students were asked to discuss pros and 
cons of the Uniform Computer Information 
Transactions Act, a proposed law to create a 
clear and uniform set of rules to govern such 
areas as software licensing, online access, 
and other transactions in computer informa¬ 
tion. 

http://www.aaxnet.com/topics/ucita.html 
This website basically breaks down each part 
of this act that is being proposed. Some of 
the most interesting things about this that I 
found, and some of the more unsettling 
parts of it, were that if it were passed, you 
would be prohibited from selling a PC with 
any software on it. If you were selling a win- 
dows-based PC, you would have to unistall 
the operating system before you sold it, oth¬ 
erwise it would be illegal. Another interesting 
part of it is that it would make it illegal to 
talk smack about any piece of software from 
any manufacturer. For instance, if you had a 
piece of software installed on your system 
and it didn't work, and you could prove it 
didn't work, and you talked smack about it, 
you could be sued by the company that 
manufactured that piece of software (a sort 
of slander similarity). I think this act is bad 
news all around and should not be passed. I 
can't believe that it would even uphold any 
challenges to it. 

19. CAN-SPAM 

The CAN-SPAM Act of 2003 (Controlling the 
Assault of Non-Solicited Pornography and 
Marketing Act) establishes requirements for 
those who send commercial email, spells out 


penalties for spammers and companies 
whose products are advertised in spam if 
they violate the law, and gives consumers 
the right to ask emailers to stop spamming 
them. (FTC, n.d.). One of our exercises was 
to argue pro and con on the CAN-SPAM act. 

20. FAIR USE 

Under limited circumstances a copyrighted 
work can be used by another. This is called 
fair use and was a week's topic. Included in 
the cases were Field v. Google Inc, Camp¬ 
bell v. Acuff-Rose Music, Eloise Toby Marcus 
v Shirley Rowley and San Diego Unfiled 
School District, Grand Upright Music, Ltd. v. 
Warner Bros. Records, Inc., Castle Rock En¬ 
tertainment, Inc. v. Carol Publishing Group, 
Inc , Basic Books, Inc. v. Kinko's Graphics, 
Rogers v. Koons, Flarper & Row v. Nation 
Enterprises, Higgins v. Detroit Educational 
Television Foundation. Fair use was exten¬ 
sively discussed including the Obama Hope 
poster. 

21. FAIR CREDIT REPORTING ACT - 
FCRA 

"The Fair Credit Reporting Act (FCRA) is a 
federal law that regulates how credit report¬ 
ing agencies use your information. Enacted 
in 1970 and substantially amended in the 
late 1990s and again in 2003, the FCRA re¬ 
stricts who has access to your sensitive cre¬ 
dit information and how that information can 
be used." (Equifax, 2007) 

http://www.eguifax.com/cs/Satellite7paqena 

me=elearninq credit!4 

Cases included Killingsworth v. HSBC Bank 
Nevada, Maria et al v. Apple Computer, Inc, 
Heather Gillespie and Angela Cinson v. Equi¬ 
fax Information Services, L.L.C. and Expe- 
rian vs. LifeLock Lawsuit. 

Again, permission was received by students 
to include their materials in the article as 
examples. 

22. CONCLUSION 

The result of the course was very favorable. 
The active research approach and use of 
Web 2.0 tools especially blogs has been met 
with enthusiasm in our class this past seme¬ 
ster. This is a typical response to the overall 
course survey. "Overall this was a very in¬ 
teresting and informative class. The topics 
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we covered are all issues that at some point 
in our professional careers we will encoun¬ 
ter. This class will prepare us to better deal 
with issues we encounter regarding legali¬ 
ties, or at least lend us the resources to be 
able to find ways to better deal with these 
issues." 
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APPENDIX A 


Full Course Description 

"1ST 452 Legal and Regulatory Environment of Privacy and Security (3) Institutional 
constraints on security historically focused on traditional criminal enforcement and a slow but 
steady increase in civil remedies through the twentieth century. Professional security protec¬ 
tion could satisfy reasonable assurance criteria by managing legal and regulatory risks based 
on commonly-held understandings of burglary, theft, conversion and widely-understood but 
related institutional constraints in the protection of physical property. This focus retained ef¬ 
fectiveness so long as physical security over tangible property appeared successful, even ex¬ 
tending to the maintenance of control over mainframe computers and their peripherals. How¬ 
ever, the proliferation of networked computers has made access and storage ubiquitous, vast¬ 
ly increasing the vulnerability of confidential data, private information and critical national se¬ 
curity infrastructure. Security and privacy regulation compliance responsibility now falls much 
more harshly on both organizations and most of their individual personnel. These complex new 
duties constrain organizations in the data management industry as well as suppliers and users 
of data and all participants in the information supply chain, including consultants, software 
suppliers, applications service providers, maintenance, outsourcing and communications pro¬ 
viders. 

Other factors exacerbate these liability risk management difficulties. Advances in network 
computer storage and use, the broadening perception of heightened value of information and 
the pervasive availability of rich data warehousing increase the vulnerability of data manage¬ 
ment. Risks of information theft and integrity losses as well as the explosion of privacy rights 
and national security concerns now require pervasive and fuller understanding of liability risk 
management principles/techniques among all managers and subordinates in the data man¬ 
agement industry and in government. Information suppliers, handlers, owners and network 
service providers are increasingly exposed to civil litigation, regulatory oversight/compliance 
and criminal prosecution for various information-related wrongs. For example, confidentiality 
is compulsory for corporate trade secrets, privacy is required for personally identifiable infor¬ 
mation about individuals and secrecy is mandatory over matters of national security; all of 
which create complex legal duties that are fundamentally driving the design of information 
handling processes. This course surveys legal and regulatory constraints on information secu¬ 
rity and privacy practices." (Penn State University, 2008) 
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APPENDIX B 


Further Student Responses 

Privacy definition 

Privacy Definition In general, the right to be free from secret surveillance and to determine 
whether, when, how, and to whom, one's personal or organizational information is to be re¬ 
vealed. In specific, privacy may be divided into four categories (1) Physical: restriction on oth¬ 
ers to experience a person or situation through one or more of the human senses; (2) Infor¬ 
mational: restriction on searching for or revealing facts that are unknown or unknowable to 
others; (3) Decisional: restriction on interfering in decisions that are exclusive to an entity; (4) 
Dispositional: restriction on attempts to know an individual's state of mind, 
http ://www. businessdictionary. com/definition/privacy, html 

I found a couple of different ones that I like: In the 1890s, future United States Supreme 
Court Justice Louis Brandeis articulated a concept of privacy that urged that it was the individ¬ 
ual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms 
in a democracy, and he was concerned that it should be reflected in the Constitution Robert 
Ellis Smith, editor of the Privacy Journal, defined privacy as "the desire by each of us for phys¬ 
ical space where we can be free of interruption, intrusion, embarrassment, or accountability 
and the attempt to control the time and manner of disclosures of personal information about 
ourselves." According to Edward Bloustein, privacy is an interest of the human personality. It 
protects the inviolate personality, the individual's independence, dignity and integrity. Accord¬ 
ing to Ruth Gavison, there are three elements in privacy: secrecy, anonymity and solitude. It 
is a state which can be lost, whether through the choice of the person in that state or through 
the action of another person. The Calcutt Committee in the United Kingdom said that, "no¬ 
where have we found a wholly satisfactory statutory definition of privacy." But the committee 
was satisfied that it would be possible to define it legally and adopted this definition in its first 
report on privacy: The right of the individual to be protected against intrusion into his personal 
life or affairs, or those of his family, by direct physical means or by publication of information. 
The Preamble to the Australian Privacy Charter provides that, "A free and democratic society 
requires respect for the autonomy of individuals, and limits on the power of both state and 
private organizations to intrude on that autonomy...Privacy is a key value which underpins 
human dignity and other key values such as freedom of association and freedom of 
speech...Privacy is a basic human right and the reasonable expectation of every person." /As¬ 
pects of Privacy Privacy can be divided into the following separate but related concepts: In¬ 
formation privacy, which involves the establishment of rules governing the collection and han¬ 
dling of personal data such as credit information, and medical and government records. It is 
also known as "data protection"; Bodily privacy, which concerns the protection of people's 
physical selves against invasive procedures such as genetic tests, drug testing and cavity 
searches; Privacy of communications, which covers the security and privacy of mail, tele¬ 
phones, e-mail and other forms of communication; and Territorial privacy, which concerns the 
setting of limits on intrusion into the domestic and other environments such as the workplace 
or public space. This includes searches, video surveillance and ID checks. Source 
http://www.privacyinternatlonal.org/survey/phr2003/overview.htm 

Privacy and media based on Warren and Brandeis (1892) concepts 

1. Example of right to privacy does not prohibit publication of what is considered to be of pub¬ 
lic or general Interest: Casey Anthony, charged with her daughter's murder, has had all of her 
visits with family members through a jail telephone videotaped and then released to the me¬ 
dia. 2. Example of right to confidential information: Presidents are required to release their 
health records to the public and must reasonably notify the public of such events (such as if a 
President is going to be incapacitated because of a colonoscopy) the nation is notified that the 
Vice President will briefly assume duties. 3. Privacy with content example: When you are ad¬ 
mitted to a hospital, in accordance with HIPAA, they ask if someone calls the hospital and asks 
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if you are here or for your room number if the hospital could confirm this to the person who 
called. If you say yes, they can let others know, you have waived this right to privacy. 

1. Libel and Slander Stemming from a case in which an elected official in Montgomery, Ala., 
complained of defamation by civil-rights activists, the court ruled that to protect the free flow 
of speech and opinions, public officials could only collect damages for libel if falsehoods were 
made with "reckless disregard" for the truth. 

Types of Law 

Based on the Bagby text, the five general areas of law were explored: Criminal, Common, Pro¬ 
cedural, Substantive, and Civil. 

Procedural law is law describing how substantive law is enforced by entailing the formal steps 
which must be taken to enforce legal rights. This includes things like jurisdiction, jury selec¬ 
tion, counsel, as well as post-trial aspects such as appeals and enforcement of punishments, 
http ://la w.jrank. org/pages/9455/Procedural-La w.html 
http://www.answers.com/topic/procedural-law 

http://topics.law.cornell.edu/wex/Criminal_iaw criminal law: an overview Criminal law involves 
prosecution by the government of a person for an act that has been classified as a crime. Civil 
cases, on the other hand, involve individuals and organizations seeking to resolve legal dis¬ 
putes. In a criminal case, the state, through a prosecutor, initiates the suit, while in a civil 
case the victim brings the suit. Persons convicted of a crime may be incarcerated, fined, or 
both. However, persons found liable in a civil case may only have to give up property or pay 
money, but are not incarcerated. 

Common law A system of law that is derived from judges' decisions (which arise from the judi¬ 
cial branch of government), rather than statutes or constitutions (which are derived from the 
legislative branch of government). 

http://www.ll.georgetown.edu/tutorials/definitions/common_law.html The common law is 
more maileable than statutory law. First, common law courts are not absolutely bound by 
precedent, but can (when extraordinarily good reason is shown) reinterpret and revise the 
law, without legislative intervention, to adapt to new trends in political, legal and social philos¬ 
ophy. Second, the common law evolves through a series of gradual steps, that gradually 
works out all the details, so that over a decade or more, the law can change substantially but 
without a sharp break, thereby reducing disruptive effects. In contrast, the legislative process 
is very difficult to get started, and legislatures tend to delay acting until a situation is totally 
intolerable. For these reasons, legislative changes tend to be large, jarring and disruptive (ei¬ 
ther positively or negatively). http://en. wikipedia.org/wiki/Common_law 

Constitution and Bill of Rights 

The Commerce Clause of the Constitution gives the government - the power to regulate; that 
is, to prescribe the rule by which commerce is to be governed. 

Wabash, St. Louis & Pacific Railway Co. v. Illinois Citation: 118 U.S. 557 (1886) Concepts: 
Individual Property Rights v. State Rights/Commerce Clause Facts An Illinois statute imposed 
a penalty on railroads that charged the same or more money for passengers or freight shipped 
for shorter distances than for longer distances. The railroad in this case charged more for 
goods shipped from Gilman, Illinois, to New York, than from Peoria, Illinois, to New York, when 
Gilman was eighty-six miles closer to New York than Peoria. The intent of the statute was to 
avoid discrimination against small towns not served by competing railroad lines and was ap¬ 
plied to the intrastate (within one state) portion of an interstate (two or more states) journey. 
Issue Whether a state government has the power to regulate railroad prices on that portion of 
an interstate journey that lies within its borders. Opinion The Supreme Court of the United 
States held the Illinois statute to be invalid and that the power to regulate interstate railroad 
rates is a federal power which belongs exclusively to Congress and, therefore, cannot be exer¬ 
cised by individual states. The Court said the right of continuous transportation from one end 
of the country to the other is essential and that states should not be permitted to impose re¬ 
straints on the freedom of commerce. In this decision, the Court gave great strength to the 
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commerce clause of the Constitution by saying that states cannot impose regulations concern¬ 
ing price, compensation, taxation, or any other restrictive regulation interfering or seriously 
affecting interstate commerce, http://www.tourolaw.edu/patch/casesummary.asp 

The Contract Clause of the Constitution - protects agreements whereby two parties bind 
themselves to certain obligations. 

Peevyhouse v. Garland Coal & Mining Co., (1962) 2. Facts: Peevyhouse leased part of their 
farm to Garland Mining for strip mining of coal. The express written contract stated that one of 
the terms of the contract was that Garland smooth out the land once it was done strip mining. 
After all the mining was done, Garland refused to smooth out the land, and Peevyhouse sued 
for the cost of completion of moving the dirt back, which was estimated at $29,000. However, 
Peevyhouse's farm was only worth less than $5,000, and the increase in value of the farm 
would only be $300 if the dirt were to be smoothed out. The trial jury returned a verdict of 
$5,000 which did not match either party's theory of damages. 3. Nature of the Risk: The far¬ 
mer risked that he could make more money if he leased his farm to someone else. The miner 
risked that he could make more money if he leased a different farm for strip mining. 4. Issue: 
Is the proper measure of damages the cost of completing the terms of the contract, even 
though they outweigh the value of performance significantly? 5. Holding: No. Where the cost 
of completion of a contract is disproportionate to the "end to be attained" the proper measure 
of damages is the difference in value if the contract were fully performed. 6. Reasoning: The 
majority reasoned that the farmer would unlikely be willing to pay $29,000 to make improve¬ 
ments to his property that would increase its value only $300. So to award him the $29,000 
would be a windfall. Thus, the primary purpose of the contract was to recover coal from the 
ground to the benefit of both parties, not to regrade the land. 
http://www.lectlaw.com/files/lws49.htm 

The Digital Millennium Copyright Act 

Summary-.Three software programmers who created the BNETD game server (using an open 
source program), which allowed users to play Blizzard games online with other gamers without 
the use of Blizzard's Battle.net service, were accused of being in violation of of the DMCA and 
Blizzards EULA by circumventing the software to allow the play on non-Blizzard servers. The 
programmers argued that they should be allowed to create free software to allow people to 
use commercial products because it was beneficial to the consumer and spawned innovation. 
It was ruled, however, that the reverse engineering and emulation of Blizzards's software was 
illegal and in violation of the DMCA, http://www.eff.org/cases/blizzard-v-bnetd 

Health Insurance Portability and Accountability Act 

Basically Cl/S got lazy and just threw away their patients empty bottles in the regular garbage 
can so anyone could have access to it and now they are paying for it. They said that the em¬ 
ployees weren't properly trained on how to dispose of them. Here's the facts: Cl/S will pay the 
government $2.5 million and toughen their practices so that the privacy of patients is not vi¬ 
olated. The settlement which applies to all Cl/S retail pharmacies is in response to the HHS 
Office of Civil Rights (OCR) and their extensive investigation concerning HIPAA violations. In a 
coordinated action, CVS also signed a consent order with the FTC to settle potential violations 
of the FTC Act. OCR opened an investigation in response to media reports that alleged that 
patient information maintained by the pharmacy chain was being disposed of in industrial 
trash containers outside selected stores and were not secure and could be accessed by the 
public. According to the information, CVS also failed to adequately train employees on how to 
dispose of such information properly. At the same time, FTC also opened an investigation of 
Cl/S and this resulted in both agencies working to coordinate the investigation. Under the HHS 
resolution agreement, CVS agreed to pay the $2.25 million and implement a robust corrective 
action plan. Cl/S will also actively monitor its compliance and the FTC consent order. The mon¬ 
itoring requirement specifies that CVS must engage a qualified independent third party to as¬ 
sess CVS compliance and then submit reports to the federal agencies. The HHS corrective ac¬ 
tion plan will be in place for three years while the FTC plan will be monitored for 20 years. 
Source: http://telemedicinenews.blogspot.com/2009/02/hipaa-case-settled.html 
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Patriot Act 

Summary: In Sept of 2004, a federal judge in New York ruled that the component of the PA¬ 
TRIOT Act which allows the FBI to demand information from ISP's is unconstitutional as it does 
not allow for judicial oversight or public review. The case was originally filed by the ACLU on 
behalf of an unnamed ISP which challenged a NSL which demanded the information. The judge 
ordered the Justice Dept to halt the use of NSL's, however he provided a 90 injunction to allow 
for an appeal. Since NSL's are still in use...my guess is the Government won the appeal. 
http ://www. washinotonDOSt.com/wD-dvn/articles/A59626-2004Seo29.html 

A man and his daughter were looking at stars and temporarily blinded the pilot and co-pilot of 
an airplane with a laser beam for the telescope. Authorities used the Patriot Act to charge the 
man with interfering with the operator of a mass transportation vehicle and making false 
statements to the FBI. He was the first person arrested after a recent rash of reports around 
the nation of laser beams hitting airplanes. Source: 

ttp://www.foxnews. com/story/0,2933,143371,00.html September 7, 2007 

NEW YORK - A federal court today struck down the amended Patriot Act's National Security 
Letter (NSL) provision. The law has permitted the FBI to issue NSLs demanding private infor¬ 
mation about people within the United States without court approval, and to gag those who 
receive NSLs from discussing them. The court found that the gag power was unconstitutional 
and that because the statute prevented courts from engaging in meaningful judicial review of 
gags, it violated the First Amendment and the principle of separation of powers.] 
http://www.aclu-mn.org/home/news/courtstrikesnationalsecuri.htm This article goes on to tell 
that in the case Doe v. Gonzales which was originally filed in 2004 on behalf of an anonymous 
Internet access company a National Security Letter was received. The presiding judge, Marre¬ 
ro struck down the gag orders issued by the government to the website stating that the Gag 
was unconstitutional. The article reviews several other interesting cases regarding this. Very 
good read! 

Surveillance/Anti-terrorism in other nations 

Spain - Secret military telecommunications interception stations in Madrid, Conit de la Fronte- 
ra, Gibraltar and Rota [It is significant that the station is run by the military. The former Span¬ 
ish intelligence agency (CESID) was run by the military, and was recently replaced by a civi¬ 
lian agency, the CNI (National Intelligence Centre, see Statewatch vol 11 no 3 & 4). This 
change was partly motivated by a lack of accountability, and of a clear legal basis for intercep¬ 
tion, that resulted in the illegal interception of Spanish citizens in the past. The CNI is subject 
to interception guidelines requiring a judicial warrant for the interception of communications 
involving Spanish citizens, which are protected from interference by the Spanish constitution, 
although telephone tapping was not regulated until the new law was passed last year.] 

http://www.statewatch.Org/news/2004/aug/l Ospain-gib-comint.htm 

In 1975 Telecommunication tactics were taken by the Spanish government, though they were 
kept secret and there was no law governing them. The CESID or Spanish Intelligence Agency 
was monitoring telecommunication lines of Spanish citizens. Spanish citizens are protected 
from this interference under their constitution. Santiago programme has taken over for the 
CESID as of 2008 and are now in charge of these internal affairs. 

I guess before this law was passed it was illegal for any agency to use wiretapping in Japan. It 
was passed in 1999 but was enacted in 2000 because of the massive amount of amendments. 
"The law permits the law enforcement agencies (LEAs) to intercept communications on phone, 
fax, and the Internet in criminal cases involving organized murder, illicit firearms trade, drug 
trafficking, and smuggling of illegal immigrants into Japan. However, the communications of 
doctors, lawyers, and religious leaders cannot be intercepted under the law and media com¬ 
munications can only be intercepted under certain conditions. The law also directs ISPs to 
maintain a log of all the Internet communications that are monitored at any time." Only Police 
officers that are superintendent and above can execute wiretapping upon receipt of an autho¬ 
rized warrant. The law also requires the presence of a third-party non-police witness, such as 
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an employee of either the communication service provider or regional government, for moni¬ 
toring the wiretapping process. In addition, LEAs are required to notify individuals (whose 
communications have been intercepted) within 30 days of concluding the investigation and all 
documents pertaining to the communication must be destroyed thereafter. The law does not 
define the devices or surveillance tools that can be used for lawful interception 

Internet Safety Act 

This act states that it will require all Internet providers and operators of millions of Wi-Fi 
access points, even hotels, local coffee shops, and home users, to keep records about users 
for two years to aid police investigations. I think that this would be ideal for all business but to 
bring it into a home I think would violates someones privacy. One thing that I wonder is who 
and where would this be stored and who would be responsible for keeping it. My grandfather 
wouldn't be able to do this and he has a WLAN set up in his house. Source: 
http://news.cnet.com/8301-13578_3-10168704-38.htmt 

An incredibly interesting feature of the Internet Safety Act is the current proposed wording in 
terms of keeping logs to help prevent child pornography. While it is probably a good (but 
questionable) idea for the ISPs to keep logs of what users access, it will also require all pro¬ 
viders of access points to keep logs of user activity. This is excessive because many users of 
wifi, especially home users like myself, is pretty much beyond the realm of understanding of 
most end users. Overall, I know that an act like this could help kids be safer online, but the 
most effective method would be for parents to start doing their jobs. Either way, I would con¬ 
sider myself an advanced user and I don't see how even people on my level could effectively 
keep logs. Also, what if back up systems fail? That happens all the time! 
http://www.thetechherald.eom/article.php/200908/2998/Opinion-Internet-SAFETY-Act- 
%E2%80%93-you-ITneed-to-keep-your-logs-or-go-to-jail 

United States vs. European Fair Information and Practices 

With the European Union Directive 95/46 setting guidelines for maintaining privacy for user 
data, Germany passed its own law in 2002 called the Data Protection Act. This act defines 
what constitutes data collection and processing, consent of the user whose data is being col¬ 
lected, acceptable transfer of the collected data, and the responsibilities of the individual, 
group, business, etc. that is collecting the data regarding maintaining adequate security. It 
also outlines the creation and maintenance of a security official who is held responsible for 
maintaining the data collected. This act is much more thorough than the EU Directive. 
http://www.bdd.de/Download/bdsg_eng.pdf 

Sarbanes Oxley Act 

FEI Survey: Average 2007 SOX Compliance Cost $1.7 Million 
-Audit Fees Show Slight Increase to $3.6 Million- 
-More Companies See Benefit, Note Positive Changes to Audit- 
http ://fei. media room, com/index. php?s=43&item =204 

Uniform Computer Information Transactions Act - UCITA 

The UCITA was originally proposed as an amendment to the UCC Act. It governs the sale of 
software, databases and other relevant contracts involving information. One thing that it ac¬ 
complishes is that it standardizes laws relating to information across states, which many other 
bills fail to do. The act has, however, faced a significant amount of opposition, as many feel 
that it was written on the coat tails of software lobbyists rather than in the best interests of 
the people. The act does, ultimately, get ridiculous, as it gives benefits to businesses over 
consumers. For example, as I read, if I buy a video game and finish it, I should not be able to 
sell it to my friend according to UCITA. It also lessens the accountability of software compa¬ 
nies (Windows Vista anyone?. http://www.badsoftware.com/uccindex.htm 
http://www.badsoftware.eom/uccindex.htm#Background 
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Fair Use 

Summary: Kinkos was found to be in violation of copyright laws when photocopied sections of 
school books were sold to students as "coursepacks" for their university classes. Three of the 
four requirements of fair use were met, however the impact on the market was what led the 
court to rule against Kinkos. It was believed that by including these copies in a "coursepack" 
the original publishers of the books would lose a significant amount of revenue since the entire 
book was not being purchased. COPYING FOR EDUCATION Basic Books, Inc. v. Kinko's Graph¬ 
ics Corp.,758 F.Supp. 1522 (S.D.N.Y. 1991). Kinko's was held to be infringing copyrights when 
it photocopied book chapters for sale to students as "coursepacks" for their university classes. 
Purpose: When conducted by Kinko's, the copying was for commercial purposes, and not for 
educational purposes. Nature: Most of the works were factual-history, sociology, and other 
fields of study-a factor which weighed in favor of fair use. Amount: The court analyzed the 
percentage of each work, finding that five to twenty-five percent of the original full book was 
excessive. Effect: The court found a direct effect on the market for the books, because the 
coursepacks competed directly with the potential sales of the original books as assigned read¬ 
ing for the students. Conclusion: Three of the four factors leaned against fair use. The court 
specifically refused to rule that all coursepacks are infringements, requiring instead that each 
item in the "anthology" be subject individually to fair-use scrutiny, 
http://www. copyright, iupui. edu/FUsummaries.htm Entire details: 

http://www.bc.edu/bc orq/avo/cas/comm/free soeech/basicbooks.html 

Again, permission was received by students to include their materials in the article as exam¬ 
ples. 
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APPENDIX C - PARTIAL SYLLABUS 

1ST 452 - Legal and Regulatory Environment of Privacy and Security (3) 

Credit Hours: 3.0 

Official Course Description: 

1ST 452 - Legal and Regulatory Environment of Privacy and Security (3) Exploration of legal, 
regulatory, public policy, and ethical issues related to security and privacy for information technol¬ 
ogy professionals in public institutions, private enterprise, and IT services. 

Prerequisite: 1ST 301 or SRA 231 or equivalent 

Course Objectives: 

Upon completion of the course, the student will be able: 

To understand common legal, ethical, and regulatory issues associated with Information Tech¬ 
nology as it relates to both security and privacy. 

In addition the student will understand: 

Common legal terms related to e-commerce 

Current US and major international laws and regulations regarding privacy and security 
Specific exploration, interpretation, and understand will include: 

Privacy Polices 
HIPPA 

PATRIOT act 
UCC 

Sarbanes-Oxley 

UCITA 

Contracts 

Copyrights 

Patents 

Fair Information Practices 

Background for the course 

This course will be unlike all other courses in 1ST. It will require significant critical thinking, 
problem solving, and written and oral communications. The course will involve creation of 
Blogs that will serve as a comprehensive documentation of our semester long exploration. 
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There will be significant required discussion to fully develop our critical thinking and communi¬ 
cation skills. 


Required Texts: 

Privacy, Information and Technology Second Edition by Daniel J. Solove (Author), Paul M. 
Schwartz (Author) (2009) 

Aspen Publishers 
ISBN-13: 978-0735579101 

Additional online content. 


Significant resources will be posted in ANGEL. 


Required Materials: 

Reliable media to store assignments. 


Attendance: 

Attendance is important especially for this class. You cannot participate if you are not in atten¬ 
dance. Unexcused cuts in excess of 3 may result in a reduction of 10 % in class participation 
grade for every cut in excess of 3. Thus if you miss 5 classes your class participation grade 
will be a maximum of 80%. Also, it is unlikely you will be successful in class assignments, 
tests, or projects. In addition, after 5 absences, a deduction of 5% per absence may be de¬ 
ducted from your final grade. There are no exceptions to this attendance rule except with the 
approval of the instructor. The instructor reserves the right to reject all such requests. Late¬ 
ness is disruptive and may result in a similar penalty. 


You are expected to read all chapter material prior to the scheduled class. For testing, you 
will be responsible for all material covered in class as well all projects and assigned text 
chapters. It is imperative that you attend all scheduled classes. Material will be covered in 
class that is not in the texts. 


This class may involve hands-on time learning to use various software packages. In case of 
unavoidable absence, special effort on the part of the student is a necessity. Due to the cu¬ 
mulative nature of work done, students are expected to find out about material missed outside 
of class time and before the next class, so that normal progress in class can resume. Due to 
the amount of material we will cover, very little time can be spent reviewing material already 
covered. 


Research Projects and Presentations: 

During the semester, students will have the opportunity to participate in team and individual 
projects. Students will be required to research topics beyond those covered in the course text 
to complete some project requirements. Students will be required to evaluate themselves and 
fellow team members. Grades for these projects will be based on the successful completion of 
stated project criteria and student evaluation feedback. At the end of project, students are 
required to make a formal presentation about results of their work, problems encountered, 
and their approach to solving the problem. 

Course Grading: 
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The purpose of a grade is to give students feedback on the degree of their success in assimi¬ 
lating course content. In IST452, the following grading scale has been adopted and will hope¬ 
fully provide each student with the opportunity for a good grade. The following grading struc¬ 
ture is based on the required plus/minus system of the University. 


Grade Breakdown: 


A 

94 - 100 

A- 

90 - 93 

B+ 

87 - 89 

B 

84 - 86 

B- 

80 - 83 

C+ 

75 - 79 

c 

70 - 74 

D 

60 - 69 

F 

59 and below 


All final grading will be the responsibility of the Instructor with general weighting given below. 
The syllabus is subject to change. 


Tests/Quizzes 

25% 

Class Participation 

25% 

Bloq participation/In-class assiqnments 

50% 


The primary goal of the 1ST program is to build leaders for a digital global economy. This is 
best achieved through active learning. Class discussion, assignments, and presentations are 
designed to develop your oral, written, and critical thinking skills. Leaders require all these 
skills in today's economy. 

General Grading Rubric 


Product, Project, or Assignment 

Very Poor or 
Absent 

Below 

Avg. 

Satisfactory 

Good 

Excellent 

1. Mechanics of writing, grammar, 
punctuation 

0 

2 

3 

3.5 

4 

2. Organization and structure 

0 

2 

3 

3.5 

4 

3. Creativity and/or insight 

0 

2 

3 

3.5 

4 

4. Demonstrates knowledge 

0 

2 

3 

3.5 

4 
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General Term Schedule (subject to changes): 


Week 


Jan 12 

Introduction, Intro to eLaw 

Jan 19 

e-Law 

Jan 26 

e-Law 

Feb 2 

e-Law 

Feb 9 

Privacy 

Feb 16 

Privacy 

Feb 23 

Privacy 

Mar 2 

Privacy 

Mar 9 

Privacy 

Mar 16 

Privacy 

Mar 23 

Security 

Mar 30 

Security 

Apr 6 

Security 

Apr 13 

Security 

Apr 20 

Security 

Apr 27 

Security 

May 4 

No final 


1ST 452 Projects: 


Bloqi 

The course will involve creation of Blogs that will serve as a comprehensive documentation of 
our semester long exploration. Participation will be frequent and required. Grading will be 
based on the general grading rubric. 


In-class Assignments 


Each week we may spend a portion of class with discussion activities including cases, models, 
standards, exercises or programs. Some may involve individual activities and some may be 
group activities. This is a very important part of our course. If you miss class you still must 
complete the in-class assignment. If you must miss a class, you need to obtain instructions 
and materials from a fellow classmate. In addition, you are expected to keep up to date on 
current events. Individuals may be selected to read and discuss an appropriate current event 
for class. 
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Assignment Submission: 


In general assignments will be submitted electronically through ANGEL. Also in general, as¬ 
signments will be posted in ANGEL, http://cms.psu.edu 


Discussion Activities: 

Each week we may spend a portion of class with discussion activities. These may take the 
form of in-class assignments, review of homework, discussions and/or presentations. Some 
may involve individual activities and some may be group activities. These are required and 
will be included in the class participation grade. All homework must be done prior to class on 
the scheduled due date. 


Homework: 

Students will be assigned homework problems from the course text or supplemental source. 
All assignments that are not submitted by the specified due date will receive a penalty. 


Course Rules: 


Mutual respect and courtesy is required. 


There will be no Internet surfing, Instant Messaging, text messaging, or email correspondence 
allowed during class. All cell phones and pagers must be turned off or to silent position. Viola¬ 
tion of this policy will result in significant reduction in class participation and in-class assign¬ 
ment grades. There may be times when these activities will be permitted. These times will be 
clearly stated. 


If you have any questions, please email me through my PSU email account not through ANGEL 
email. If you must miss a class, you need to obtain instructions and materials from a fellow 
classmate. 


Text chapters and assigned outside readings will be expected prior to class to facilitate learn¬ 
ing and class discussions. 
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